Gentoo Forums, Networking & Security
[SOLVED] An idiot tries nftables

kgdrenefort (Guru, 337 posts, joined Tue Sep 19, 2023 6:10 am, location: Somewhere in the 77)

Post by kgdrenefort » Wed May 15, 2024 1:41 pm

Hello,

After some tries, I am able to close 22, 80 & 443 (reject rules) as desired.

But I'm seeing a behaviour I do not understand.

I tested opening these ports with nc -l XXX; without any ruleset I can use telnet to reach them. It works. Hitting localhost and the port gives this output:

But if I close them, and then try to telnet them, they all three act differently:

- 80:

meself@Mephistopheles ~ $ telnet 127.0.0.1 80
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
- 443:

meself@Mephistopheles ~ $ telnet 127.0.0.1 443
Trying 127.0.0.1...
It hangs until, a bit later, it times out:

meself@Mephistopheles ~ $ telnet 127.0.0.1 80
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
- 22:

meself@Mephistopheles ~ $ telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
It does not even time out.

I guess for SSH it's about a timeout value in the server-side configuration, but actually I opened 22 with nc after stopping SSH. If I re-run SSH and try with the reject rules:

meself@Mephistopheles ~ $ telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_9.6
From my LAN on another computer:

$ telnet 192.168.1.103 22
Trying 192.168.1.103...
telnet: Unable to connect to remote host: Connection refused
But the behaviour is the same if I hit 192.168.1.103 from the same machine (the one with the firewall), once SSH is running again.

And from this other machine, other ports act the same.

It seems to act the same way with drop instead of reject.

I'll go deeper into my tests and try to set up a small nginx only for the purpose of testing these under more real-life conditions.

Current ruleset:

Mephistopheles /etc # nft -s list ruleset 
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state invalid counter drop comment "early drop of invalid packets"
		ct state { established, related } counter accept comment "accept all connections related to connections made by us"
		iif "lo" accept comment "accept loopback"
		iif != "lo" ip daddr 127.0.0.0/8 counter drop comment "drop connections to loopback not coming from loopback"
		iif != "lo" ip6 daddr ::1 counter drop comment "drop connections to loopback not coming from loopback"
		ip protocol icmp counter accept comment "accept all ICMP types"
		meta l4proto ipv6-icmp counter accept comment "accept all ICMP types"
		tcp dport 22 counter drop comment "accept SSH"
		tcp dport 80 counter drop comment "accept HTTP"
		tcp dport 443 counter drop comment "accept HTTPS"
		counter comment "count dropped packets"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		counter comment "count dropped packets"
	}

	chain output {
		type filter hook output priority filter; policy accept;
		counter comment "count accepted packets"
	}
}
Regards,
GASPARD DE RENEFORT Kévin
nicop (Apprentice, 156 posts, joined Thu Apr 10, 2014 11:54 am)

Post by nicop » Wed May 15, 2024 1:55 pm

You can't test your firewall from/to localhost.

Use a web service such as https://portchecker.co/, or nmap from another machine.
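Why the localhost tests above say nothing about the ruleset: the posted input chain has `iif "lo" accept` as its third rule, and every packet the host sends to itself, whether addressed to 127.0.0.1 or to its own LAN address 192.168.1.103, is looped back through lo, so it is accepted before the `tcp dport` rules are ever reached. "Connection refused" versus "Connected" on 127.0.0.1 therefore only reflects whether a listener exists, not the firewall. Only packets arriving on a real NIC from another host get as far as the port rules. The following is an added example, not code from the thread: a first-match model of the posted `inet filter input` chain, run over constructed packet descriptions for each test in the thread (the NIC name `eth0` is assumed; real nft evaluation, conntrack and the reject/drop distinction are not modelled).

```python
"""First-match walk of the 'inet filter input' chain posted in this thread.

Added example, not code from the thread. It models only the matches that
ruleset uses (ct state, iif, ip/ip6 daddr, l4proto, tcp dport) against a
constructed packet description, to show which rule terminates evaluation
for each test the poster ran. Real nft evaluation (conntrack, sets, reject
vs drop, IPv6 details) is richer than this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Packet:
    iif: str                  # ingress interface ("lo" for anything the host sends to itself)
    daddr: str                # destination address as printed
    proto: str                # "tcp", "udp", "icmp" or "ipv6-icmp"
    dport: Optional[int] = None
    ct_state: str = "new"     # "new", "established", "related" or "invalid"


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    verdict: Optional[str]    # "accept" / "drop"; None for a counter-only rule
    comment: str


LOOPBACK_V4 = ip_network("127.0.0.0/8")


def _is_v4_loopback(addr: str) -> bool:
    a = ip_address(addr)
    return a.version == 4 and a in LOOPBACK_V4


# Same order as the posted chain. The comments on the dport rules are written
# to say what the rules actually do (the post's comments still read "accept").
INPUT_CHAIN: List[Rule] = [
    Rule(lambda p: p.ct_state == "invalid", "drop", "early drop of invalid packets"),
    Rule(lambda p: p.ct_state in ("established", "related"), "accept", "accept established/related"),
    Rule(lambda p: p.iif == "lo", "accept", "accept loopback"),
    Rule(lambda p: p.iif != "lo" and _is_v4_loopback(p.daddr), "drop", "drop 127/8 not from lo"),
    Rule(lambda p: p.iif != "lo" and ip_address(p.daddr) == ip_address("::1"), "drop", "drop ::1 not from lo"),
    Rule(lambda p: p.proto == "icmp", "accept", "accept ICMP"),
    Rule(lambda p: p.proto == "ipv6-icmp", "accept", "accept ICMPv6"),
    Rule(lambda p: p.proto == "tcp" and p.dport == 22, "drop", "tcp dport 22 drop"),
    Rule(lambda p: p.proto == "tcp" and p.dport == 80, "drop", "tcp dport 80 drop"),
    Rule(lambda p: p.proto == "tcp" and p.dport == 443, "drop", "tcp dport 443 drop"),
    Rule(lambda p: True, None, "count dropped packets"),
]
INPUT_POLICY = "drop"


def evaluate(chain: List[Rule], policy: str, pkt: Packet) -> Tuple[str, str]:
    """Walk the chain top to bottom; the first matching rule with a verdict ends evaluation."""
    for rule in chain:
        if rule.match(pkt) and rule.verdict is not None:
            return rule.verdict, rule.comment
    return policy, "chain policy"


def thread_tests() -> Dict[str, Tuple[str, str]]:
    """The tests from the thread, plus a few extra cases, as constructed packets."""
    cases = {
        # telnet 127.0.0.1 22 on the firewall host: enters via lo
        "local telnet 127.0.0.1:22": Packet("lo", "127.0.0.1", "tcp", 22),
        # telnet to the host's own LAN address from the host itself is also looped back via lo
        "local telnet 192.168.1.103:22": Packet("lo", "192.168.1.103", "tcp", 22),
        # the same connection attempted from another LAN host arrives on the NIC (name assumed)
        "LAN telnet 192.168.1.103:22": Packet("eth0", "192.168.1.103", "tcp", 22),
        "LAN telnet 192.168.1.103:80": Packet("eth0", "192.168.1.103", "tcp", 80),
        # extra: packet addressed to 127.0.0.1 but arriving on the NIC
        "LAN packet to 127.0.0.1": Packet("eth0", "127.0.0.1", "tcp", 22),
        # extra: ping from the LAN, and the UDP port from the follow-up post before its rule existed
        "LAN ping": Packet("eth0", "192.168.1.103", "icmp"),
        "LAN udp 30001": Packet("eth0", "192.168.1.103", "udp", 30001),
    }
    return {name: evaluate(INPUT_CHAIN, INPUT_POLICY, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (verdict, why) in thread_tests().items():
        print(f"{name:32} -> {verdict:6} ({why})")
```

Both local cases terminate at "accept loopback"; only the packets entering on the NIC reach the dport rules or the chain policy, which is why the test has to come from another machine.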
kgdrenefort (Guru, 337 posts, joined Tue Sep 19, 2023 6:10 am, location: Somewhere in the 77)

Post by kgdrenefort » Thu May 16, 2024 9:22 am

Hello,

Thanks for the tip.

It seems to run pretty well; yesterday I had to open port 30001 (UDP) for a LAN connection to join a Minetest server, and it worked once I added the rule.

I guess now it'll be about adding some other rules to improve my security a bit (blocking XMAS packets and such), to be sure nobody can make weird connections or attempts against my firewall.

I consider this topic solved.

Thanks for your time and patience everyone, as always.

Regards,
GASPARD DE RENEFORT Kévin
nicop (Apprentice, 156 posts, joined Thu Apr 10, 2014 11:54 am)

Post by nicop » Sat May 18, 2024 5:16 am

kgdrenefort wrote: I guess now it'll be about adding some other rules to improve my security a bit (blocking XMAS packets and such), to be sure nobody can make weird connections or attempts against my firewall.
Here is a netdev table you can use as a simple example:

table netdev filter {
        chain ingress {
                type filter hook ingress priority -450; policy accept;
                ip frag-off & 0x1fff != 0 counter drop comment "Drop IP fragments"
                tcp flags fin,psh,urg / fin,psh,urg counter drop comment "Drop tcp 'xmas' packets"
                tcp flags ! fin,syn,rst,psh,ack,urg counter drop comment "Drop tcp packets with no flags"
                tcp flags syn tcp option maxseg size 1-535 counter drop comment "Drop tcp packets with mss <536"
                }
}
And set the devices with postup/predown for each interface in /etc/conf.d/net:

postup() {
        nft add chain netdev filter ingress "{ devices = { ${IFACE} }; }"
}

predown() {
        nft delete chain netdev filter ingress "{ devices = { ${IFACE} }; }" 2>/dev/null
}
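What the four netdev rules above actually match, as an added example that is not code from the thread: `ip frag-off & 0x1fff != 0` tests the 13-bit fragment offset, so the first fragment (offset 0, MF set) passes and every later fragment is dropped; since the ingress hook runs before IP defragmentation, the rule sees fragments individually, which is the reason to put it in a netdev chain. The caveat is that it drops every non-initial fragment, legitimate ones included (large UDP datagrams, for instance), so make sure nothing you rely on fragments. `tcp flags fin,psh,urg / fin,psh,urg` is a masked compare (all three set, other flags ignored), `tcp flags ! fin,syn,rst,psh,ack,urg` matches when none of the six is set, and the MSS rule only fires on a SYN that carries a maxseg option of 1 to 535. The block below re-implements those tests over raw IPv4/TCP headers with `struct`, on packets constructed inline (placeholder addresses, checksums left zero, which nft does not verify either).

```python
"""Classifier reproducing the four matches of the netdev ingress chain above.

Added example, not code from the thread. It parses a raw IPv4 header and TCP
header from bytes with struct and applies the same tests nft performs:
  ip frag-off & 0x1fff != 0                  -> non-initial fragment
  tcp flags fin,psh,urg / fin,psh,urg        -> all three set ("xmas")
  tcp flags ! fin,syn,rst,psh,ack,urg        -> none of the six set ("null")
  tcp flags syn + tcp option maxseg 1-535    -> tiny MSS on a SYN
Sample packets are constructed inline; addresses are placeholders and the
checksums are left at zero (nft does not verify them either).
"""
import struct
from typing import Dict, Optional

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = TCP_FIN | TCP_PSH | TCP_URG
SIX_FLAGS = TCP_FIN | TCP_SYN | TCP_RST | TCP_PSH | TCP_ACK | TCP_URG


def parse_ipv4(pkt: bytes) -> dict:
    """Fixed 20-byte IPv4 header; returns the fields the rules need plus the L4 payload."""
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "proto": proto,
            "frag_off": flags_frag & 0x1FFF,        # 13-bit fragment offset, in 8-byte units
            "mf": bool(flags_frag & 0x2000),         # More Fragments bit
            "payload": pkt[ihl:]}


def tcp_mss(options: bytes) -> Optional[int]:
    """Walk TCP options (kind, length, data) and return the MSS value if present."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(options):     # truncated option
            break
        length = options[i + 1]
        if length < 2:                # malformed; stop rather than loop forever
            break
        if kind == 2 and length == 4:
            return struct.unpack("!H", options[i + 2:i + 4])[0]
        i += length
    return None


def parse_tcp(seg: bytes) -> dict:
    """Fixed 20-byte TCP header plus options; flags are the low 8 bits of the offset/flags word."""
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    data_off = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "flags": off_flags & 0xFF,
            "mss": tcp_mss(seg[20:data_off])}


def netdev_verdict(pkt: bytes) -> Optional[str]:
    """Comment of the first rule that drops pkt, or None (the chain's policy is accept)."""
    ip = parse_ipv4(pkt)
    if ip["version"] != 4:
        return None                   # the posted chain only has ip/tcp rules
    if ip["frag_off"] != 0:           # the first fragment has offset 0 and passes this test
        return "Drop IP fragments"
    if ip["proto"] != 6:
        return None
    f = parse_tcp(ip["payload"])["flags"]
    mss = parse_tcp(ip["payload"])["mss"]
    if f & XMAS == XMAS:              # "fin,psh,urg / fin,psh,urg": masked compare
        return "Drop tcp 'xmas' packets"
    if f & SIX_FLAGS == 0:            # "! fin,syn,rst,psh,ack,urg": none of them set
        return "Drop tcp packets with no flags"
    if f & TCP_SYN and mss is not None and 1 <= mss <= 535:
        return "Drop tcp packets with mss <536"
    return None


def build_packet(flags: int, options: bytes = b"", frag_off: int = 0,
                 mf: bool = False, dport: int = 22) -> bytes:
    """Construct a minimal IPv4+TCP packet for the samples (placeholder addresses)."""
    opts = options + b"\x01" * ((4 - len(options) % 4) % 4)   # NOP-pad to a 32-bit boundary
    data_off = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIHHHH", 40000, dport, 1, 0, (data_off << 12) | flags,
                      65535, 0, 0) + opts
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, flags_frag, 64, 6, 0,
                     bytes([192, 168, 1, 50]), bytes([192, 168, 1, 103]))
    return ip + tcp


SAMPLES: Dict[str, bytes] = {
    "normal SYN, MSS 1460": build_packet(TCP_SYN, b"\x02\x04\x05\xb4"),
    "SYN with MSS 100": build_packet(TCP_SYN, b"\x02\x04\x00\x64"),
    "xmas scan (FIN|PSH|URG)": build_packet(XMAS),
    "null scan (no flags)": build_packet(0),
    "plain ACK": build_packet(TCP_ACK),
    "first fragment (offset 0, MF set)": build_packet(TCP_SYN, mf=True),
    "later fragment (offset 185)": build_packet(TCP_SYN, frag_off=185),
}


def classify_samples() -> Dict[str, Optional[str]]:
    return {name: netdev_verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:36} -> {verdict or 'pass (policy accept)'}")
```

A normal SYN, a plain ACK and the first fragment pass; the xmas and null scans, the tiny-MSS SYN and every later fragment hit a drop rule. If you run the real chain, the per-rule `counter` values in `nft list ruleset` are the equivalent check.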